package cn.lili.security;

import cn.hutool.core.util.StrUtil;
import cn.hutool.json.JSONUtil;
import cn.lili.cache.Cache;
import cn.lili.cache.CachePrefix;
import cn.lili.common.security.AuthUser;
import cn.lili.common.security.enums.PermissionEnum;
import cn.lili.common.security.enums.SecurityEnum;
import cn.lili.common.security.enums.UserEnums;
import cn.lili.common.security.token.SecretKeyUtil;
import cn.lili.common.utils.ResponseUtil;
import cn.lili.modules.member.service.MemberService;
import cn.lili.modules.permission.entity.dos.Role;
import com.google.gson.Gson;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.PatternMatchUtils;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.naming.NoPermissionException;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * 管理端token过滤
 *
 * @author Chopper
 */
@Slf4j
public class ManagerAuthenticationFilter extends BasicAuthenticationFilter {

	private final Cache cache;

	public ManagerAuthenticationFilter(AuthenticationManager authenticationManager, Cache cache) {
		super(authenticationManager);
		this.cache = cache;
	}

	@SneakyThrows
	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {

		// 从header中获取jwt
		String jwt = request.getHeader(SecurityEnum.HEADER_TOKEN.getValue());
		// 如果没有token 则return
		if (StrUtil.isBlank(jwt)) {
			// response.sendError(403);
			chain.doFilter(request, response);
			return;
		}

		// 获取用户信息，存入context
		UsernamePasswordAuthenticationToken authentication = getAuthentication(jwt, response);
		// 自定义权限过滤
		if (authentication != null) {
			customAuthentication(request, response, authentication);
			SecurityContextHolder.getContext().setAuthentication(authentication);
		}
		chain.doFilter(request, response);
	}

	/**
	 * 自定义权限过滤
	 *
	 * @param request
	 *            请求
	 * @param response
	 *            响应
	 * @param authentication
	 *            用户信息
	 */
	private void customAuthentication(HttpServletRequest request, HttpServletResponse response,
			UsernamePasswordAuthenticationToken authentication) throws NoPermissionException {
		AuthUser authUser = (AuthUser) authentication.getDetails();
		String requestUrl = request.getRequestURI();

		UserEnums userEnums = UserEnums.MANAGER;
		if (null != authUser.getRole()) {
			userEnums = authUser.getRole();
		}

		// 如果不是超级管理员， 则鉴权
		if (!authUser.getIsSuper()) {
			// 获取缓存中的权限
			Map<String, List<String>> permission = (Map<String, List<String>>) cache
					.get(CachePrefix.PERMISSION_LIST.getPrefix(userEnums) + authUser.getId());

			// 获取数据(GET 请求)权限
			if (request.getMethod().equals(RequestMethod.GET.name())) {
				// 如果用户的超级权限和查阅权限都不包含当前请求的api
				if (match(permission.get(PermissionEnum.SUPER.name()), requestUrl)
						|| match(permission.get(PermissionEnum.QUERY.name()), requestUrl)) {
				} else {
					ResponseUtil.output(response, ResponseUtil.resultMap(false, 400, "权限不足"));
					log.error("当前请求路径：{},所拥有权限：{}", requestUrl, JSONUtil.toJsonStr(permission));
					throw new NoPermissionException("权限不足");
				}
			}
			// 非get请求（数据操作） 判定鉴权
			else {
				if (!match(permission.get(PermissionEnum.SUPER.name()), requestUrl)) {
					ResponseUtil.output(response, ResponseUtil.resultMap(false, 400, "权限不足"));
					log.error("当前请求路径：{},所拥有权限：{}", requestUrl, JSONUtil.toJsonStr(permission));
					throw new NoPermissionException("权限不足");
				}
			}
		}
	}

	/**
	 * 校验权限
	 *
	 * @param permissions
	 *            权限集合
	 * @param url
	 *            请求地址
	 * @return 是否拥有权限
	 */
	boolean match(List<String> permissions, String url) {
		if (permissions == null || permissions.isEmpty()) {
			return false;
		}
		return PatternMatchUtils.simpleMatch(permissions.toArray(new String[0]), url);
	}

	/**
	 * 获取token信息
	 *
	 * @param jwt
	 *            token信息
	 * @param response
	 *            响应
	 * @return 获取鉴权对象
	 */
	private UsernamePasswordAuthenticationToken getAuthentication(String jwt, HttpServletResponse response) {

		try {
			Claims claims = Jwts.parser().setSigningKey(SecretKeyUtil.generalKeyByDecoders()).parseClaimsJws(jwt)
					.getBody();
			// 获取存储在claims中的用户信息
			String json = claims.get(SecurityEnum.USER_CONTEXT.getValue()).toString();
			AuthUser authUser = new Gson().fromJson(json, AuthUser.class);

			UserEnums userEnums = UserEnums.MANAGER;
			if (null != authUser.getRole()) {
				userEnums = authUser.getRole();
			}

			// 校验redis中是否有权限
			if (cache.hasKey(CachePrefix.ACCESS_TOKEN.getPrefix(userEnums) + jwt)) {
				// 用户角色
				List<GrantedAuthority> auths = new ArrayList<>();
				auths.add(new SimpleGrantedAuthority("ROLE_" + authUser.getRole().name()));
				// 构造返回信息
				UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
						authUser.getUsername(), null, auths);
				authentication.setDetails(authUser);
				return authentication;
			}
			ResponseUtil.output(response, 403, ResponseUtil.resultMap(false, 403, "登录已失效，请重新登录"));
			return null;
		} catch (ExpiredJwtException e) {
			log.debug("user analysis exception:", e);
		} catch (Exception e) {
			log.error("other exception:", e);
		}
		return null;
	}
}
